Thursday, May 21, 2020

Ukrainian Police Arrest Hacker Who Tried Selling Billions Of Stolen Records

The Ukrainian police have arrested a hacker who made headlines in January last year by posting a massive database containing some 773 million stolen email addresses and 21 million unique plaintext passwords for sale on various underground hacking forums. In an official statement released on Tuesday, the Security Service of Ukraine (SBU) said it identified the hacker behind the pseudonym "Sanix

via The Hacker News

Learning Web Pentesting With DVWA Part 1: Installation



In this tutorial series I'm going to walk you through the Damn Vulnerable Web Application (DVWA), which is, as the name says, deliberately vulnerable. Its main goal according to the creators is "to aid security professionals to test their skills and tools in a legal environment, help web developers better understand the process of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment."

I am going to install DVWA in Docker, so the prerequisite for this tutorial is a working Docker installation (Docker is not the only way to install DVWA, but if you already have Docker installed it is probably the easiest way).

To install DVWA in Docker, start your Docker daemon if it's not running already, open a terminal or PowerShell and type:

docker run --rm -it -p 8080:80 vulnerables/web-dvwa




It will take some time to pull the image from Docker Hub depending on your internet speed, and once the pull completes it will start the DVWA application. In the command we mapped the container's port 80 to our host's port 8080, so we should be able to reach the web application from our host at http://localhost:8080. Since the container is deliberately vulnerable, it is wise to bind it to the loopback interface only (-p 127.0.0.1:8080:80) so that it is not reachable from other machines on your network.

Now open your favorite web browser and go to http://localhost:8080
You should be prompted with a login screen like this:



login with these creds:
username: admin
password: password

After logging in you'll see a database setup page, since this is our first run. Click the Create / Reset Database button at the bottom. It will set up the database and redirect you to the login page. Log in again and you'll see the welcome page.



Now click on DVWA Security link at the bottom of the page navigation and make sure the security level is set to Low. If it is not click on the dropdown, select Low and then click submit.




Now our setup is complete, so let's try a simple SQL injection attack to get a taste of what's to come.

Click on SQL Injection in navigation menu.
You'll be presented with a small form which accepts User ID.
Enter a single quote (') in the User ID input field and click Submit.
You'll see an SQL error like this:



From the error message we can tell that the server is running a MariaDB database, and we can see the point of injection.
Because the message contains several quotes, we cannot yet tell exactly where our input lands. Let's add some text after the single quote to pin down the injection point.
Now I am going to enter 'khan in the User ID field and click Submit.



Now we can see exactly where the injection point is. Determining the injection point is essential for a successful SQL injection and is sometimes quite hard, though in this exercise it may not matter much.

Now let's try the most basic SQL injection attack.
In the User ID field enter ' or 1=1-- - and click Submit.



We will explain what is going on here in the next article.
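As an added example (mine, not part of the original tutorial and not DVWA's own code), here is a small Python model of what the low-security handler does with the User ID value. It builds the same kind of query DVWA's low level uses, SELECT first_name, last_name FROM users WHERE user_id = '$id', against an in-memory SQLite table with constructed rows (SQLite stands in for MariaDB so the example runs without a database server), so you can see why a lone quote errors, why 'khan pinpoints the injection point, and why ' or 1=1-- - returns every row; the parameterised variant beside it shows the fix.

```python
import sqlite3


def make_db():
    """In-memory stand-in for DVWA's users table, filled with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """Mirrors the low-security handler: the input is pasted straight into the SQL string."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = '%s';" % user_id
    try:
        return {"query": query, "rows": conn.execute(query).fetchall(), "error": None}
    except sqlite3.Error as exc:
        # DVWA prints the database's error text on the page; that message is the
        # "point of injection" clue the walkthrough talks about.
        return {"query": query, "rows": [], "error": str(exc)}


def lookup_safe(conn, user_id):
    """Hardened version: user_id travels as a bound parameter, never as SQL text."""
    rows = conn.execute("SELECT first_name, last_name FROM users WHERE user_id = ?",
                        (user_id,)).fetchall()
    return {"query": "SELECT first_name, last_name FROM users WHERE user_id = ?",
            "rows": rows, "error": None}


if __name__ == "__main__":
    db = make_db()
    for payload in ["1", "'", "'khan", "' or 1=1-- -"]:
        r = lookup_vulnerable(db, payload)
        print(f"input {payload!r:16} -> {r['query']}")
        print(f"      rows={r['rows']} error={r['error']}")
    print("parameterised:", lookup_safe(db, "' or 1=1-- -")["rows"])
```

Run it with python3 and compare the four queries: the lone quote leaves an unterminated string, 'khan shows exactly where the input lands inside the quotes, and ' or 1=1-- - turns the WHERE clause into '' or 1=1 with the rest of the original query commented out. The trailing -- - matters on MySQL/MariaDB, where -- only starts a comment when it is followed by whitespace; the extra dash keeps that space from being trimmed away.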


References:-
1. DVWA Official Website: http://www.dvwa.co.uk/

CEH Practical: Information-Gathering Methodology

 

Information gathering can be broken into seven logical steps. Footprinting is performed during the first two steps of unearthing initial information and locating the network range.


Footprinting

Footprinting is the process of building a map of an organization's network and systems. Information gathering is also called footprinting an organization. Footprinting is an important part of the reconnaissance process and is used to collect as much information as possible about a targeted computer system or network. Footprinting can be either passive or active: reviewing a company's website is passive footprinting, whereas attempting to obtain sensitive information through social engineering is active information gathering. Footprinting is the first step of an attack, because knowledge of the target is what the rest of the attack is built on; the more an attacker knows about a target, the easier it is to compromise. The basic purpose of information gathering is, at a minimum, to decide which types of attack are most suitable for the target. Here are some of the pieces of information to be gathered about a target
during footprinting:
  • Domain name
  • Network blocks
  • Network services and applications
  • System architecture
  • Intrusion detection system
  • Authentication mechanisms
  • Specific IP addresses
  • Access control mechanisms
  • Phone numbers
  • Contact addresses
Once this information is assembled, it gives the attacker a better picture of the organization, where important information is stored, and how it can be accessed.

Footprinting Tools 

Footprinting can be done using hacking tools, either applications or websites, which allow the hacker to locate information passively. By using these footprinting tools, a hacker can gain some basic information on, or "footprint," the target. By first footprinting the target, a hacker can eliminate tools that will not work against the target systems or network. For example, if a graphics design firm uses all Macintosh computers, then all hacking software that targets Windows systems can be eliminated. Footprinting not only speeds up the hacking process by eliminating certain tool sets but also minimizes the chance of detection as fewer hacking attempts can be made by using the right tool for the job. Some of the common tools used for footprinting and information gathering are as follows:
  • Domain name lookup
  • Whois
  • NSlookup
  • Sam Spade
Before we discuss these tools, keep in mind that open source information can also yield a wealth of information about a target, such as phone numbers and addresses. Performing Whois requests, searching domain name system (DNS) tables, and using other lookup web tools are forms of open source footprinting. Most of this information is fairly easy to get and legal to obtain.

Footprinting a Target 

Footprinting is part of the preparatory pre-attack phase and involves accumulating data regarding a target's environment and architecture, usually for the purpose of finding ways to intrude into that environment. Footprinting can reveal system vulnerabilities and identify the ease with which they can be exploited. This is the easiest way for hackers to gather information about computer systems and the companies they belong to. The purpose of this preparatory phase is to learn as much as you can about a system, its remote access capabilities, its ports and services, and any specific aspects of its security.

DNS Enumeration

DNS enumeration is the process of locating all the DNS servers and their corresponding records for an organization. A company may have both internal and external DNS servers that can yield information such as usernames, computer names, and IP addresses of potential target systems.

NSlookup and DNSstuff

One powerful tool you should be familiar with is NSlookup (see Figure 2.2). This tool queries DNS servers for record information. It's included in Unix, Linux, and Windows operating systems. Hacking tools such as Sam Spade also include NSlookup tools. Building on the information gathered from Whois, you can use NSlookup to find additional IP addresses for servers and other hosts. Using the authoritative name server information from Whois (AUTH1.NS.NYI.NET), you can discover the IP address of the mail server.

Syntax

nslookup www.sitename.com
nslookup www.usociety4.com

Performing a DNS lookup this way reveals the alias (CNAME) records for the queried host name and the IP address of the web server. You can also discover all the name servers for the domain and their associated IP addresses.

Understanding Whois and ARIN Lookups

Whois evolved from the Unix operating system, but it can now be found in many operating systems as well as in hacking toolkits and on the Internet. This tool identifies who has registered domain names used for email or websites. A uniform resource locator (URL), such as www.Microsoft.com, contains the domain name (Microsoft.com) and a hostname or alias (www).
The Internet Corporation for Assigned Names and Numbers (ICANN) requires registration of domain names to ensure that only a single company uses a specific domain name. The Whois tool queries the registration database to retrieve contact information about the individual or organization that holds a domain registration.

Using Whois

  • Go to the DNSStuff.com website and scroll down to the free tools at the bottom of the page.
  • Enter your target company URL in the WHOIS Lookup field and click the WHOIS button.
  • Examine the results and determine the following:
    • Registered address
    • Technical and DNS contacts
    • Contact email
    • Contact phone number
    • Expiration date
  • Visit the company website and see if the contact information from WHOIS matches up to any contact names, addresses, and email addresses listed on the website.
  • If so, use Google to search on the employee names or email addresses. You can learn the email naming convention used by the organization, and whether there is any information that should not be publicly available.

Syntax

whois sitename.com
whois usociety4.com
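As an added example (mine, not from the CEH material), here is a Python helper that does the "Using Whois" steps above on a record you have already fetched: it parses a WHOIS response into the registered address, contacts, expiration date and name servers, and then infers the organization's email naming convention from (name, email) pairs found on the website or via search engines. The WHOIS text and the name/email pairs are constructed samples for a fictional domain, and the list of candidate naming schemes is my own assumption of the common ones; with real data you would pipe the output of whois into parse_whois.

```python
from datetime import datetime

# Constructed WHOIS output for a fictional domain (not real registry data);
# the field names follow the common registrar format.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CORP.TEST
Registrar: Example Registrar, Inc.
Registry Expiry Date: 2021-03-15T00:00:00Z
Registrant Organization: Example Corp
Registrant Street: 100 Main Street
Registrant City: Springfield
Registrant Email: hostmaster@example-corp.test
Tech Name: Jane Doe
Tech Email: jdoe@example-corp.test
Tech Phone: +1.5555550100
Name Server: NS1.EXAMPLE-CORP.TEST
Name Server: NS2.EXAMPLE-CORP.TEST
"""


def parse_whois(text):
    """Turn 'Key: value' lines into {key: [values]}; repeated keys (name servers) accumulate."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def footprint_summary(fields):
    """Collect the items the checklist above asks for from the parsed record."""
    def first(key):
        return fields.get(key, [None])[0]

    expiry = first("registry expiry date")
    address = [v for v in (first("registrant street"), first("registrant city")) if v]
    return {
        "registered_address": ", ".join(address),
        "technical_contact": first("tech name"),
        "contact_email": first("tech email") or first("registrant email"),
        "contact_phone": first("tech phone"),
        "expires": (datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%SZ").date().isoformat()
                    if expiry else None),
        "name_servers": [ns.lower() for ns in fields.get("name server", [])],
        "emails": sorted({v.lower() for k, vals in fields.items()
                          if k.endswith("email") for v in vals}),
    }


# Candidate naming schemes (assumed list), as functions of (first, last) in lower case.
EMAIL_PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "lastf": lambda f, l: f"{l}{f[0]}",
    "first": lambda f, l: f,
}


def infer_email_convention(pairs):
    """Return the scheme names that reproduce every (full name, email) pair; [] if none fits."""
    schemes = set(EMAIL_PATTERNS)
    for name, email in pairs:
        parts = name.lower().split()
        first, last = parts[0], parts[-1]
        local = email.split("@", 1)[0].lower()
        schemes = {s for s in schemes if EMAIL_PATTERNS[s](first, last) == local}
    return sorted(schemes)


if __name__ == "__main__":
    for key, value in footprint_summary(parse_whois(SAMPLE_WHOIS)).items():
        print(f"{key:20} {value}")
    # Pairs as they might be gathered from the website and search engines (constructed).
    print(infer_email_convention([("Jane Doe", "jdoe@example-corp.test"),
                                  ("John Q. Smith", "jsmith@example-corp.test")]))
```

Once the convention is known (here "flast"), every employee name found on the website or social media becomes a likely valid address for the later phases, which is exactly why the checklist asks you to compare WHOIS contacts against the public site.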


Wednesday, May 20, 2020

OWASP API Security Project Media Coverage



A list of must-read articles on the OWASP API Security Project.


BurpSuite Introduction & Installation



What is BurpSuite?
Burp Suite is a Java-based web penetration testing framework. It has become an industry-standard suite of tools used by information security professionals. Burp Suite helps you identify vulnerabilities and verify attack vectors affecting web applications. Because of its popularity and the breadth and depth of its features, this page collects Burp Suite knowledge and information in one place.

In its simplest form, Burp Suite can be classified as an interception proxy. While browsing the target application, a penetration tester configures the browser to route traffic through the Burp Suite proxy server. Burp Suite then acts as a (sort of) man in the middle, capturing each request to and response from the target web application so that they can be inspected and modified.

Everyone has their favorite security tools, but when it comes to mobile and web applications I've always found myself reaching for BurpSuite. It always seems to have everything I need, and for folks just getting started with web application testing it can be a challenge putting all of the pieces together. I'm just going to go through the installation to paint a good picture of how to get it up quickly.

BurpSuite is freely available with everything you need to get started and when you're ready to cut the leash, the professional version has some handy tools that can make the whole process a little bit easier. I'll also go through how to install FoxyProxy which makes it much easier to change your proxy setup, but we'll get into that a little later.

Requirements and assumptions:

  • Mozilla Firefox 3.1 or later
  • Knowledge of Firefox add-ons and their installation
  • The Java Runtime Environment installed

Download BurpSuite from http://portswigger.net/burp/download.html and make a note of where you save it.

Download the FoxyProxy add-on for Firefox from https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/


If this is your first time running the JAR file, it may take a minute or two to load, so be patient and wait.


Video for setup and installation.




You need a compatible version of Java installed so that you can run BurpSuite.

Open Sesame - A Tool Which Runs To Display Random Publicly Disclosed Hackerone Reports When Bored


A Python tool that opens a random publicly disclosed HackerOne report in your browser when you are bored.
It contains over 8k publicly disclosed HackerOne reports and an additional wordlist of ~700 bug bounty write-ups.
This is a productivity tool for security enthusiasts and bug bounty hunters. I have written a blog here giving my idea of how to use this efficiently.
Launching Open Sesame!


Additional features include:
  • Opening URL from custom wordlist which has bug bounty writeups.
  • Fetching and Updating the newly disclosed Hackerone publicly disclosed reports.

Usage:
First install the components listed in requirements.txt.
python3 default.py - Opens a random URL from the collection of publicly disclosed H1 reports.



python3 default.py --custom Opens a random magic URL from the collection of custom wordlist having bug bounty writeups.


python3 default.py --refresh Refreshes and adds newly publicly disclosed h1 reports to your file(final.txt)


Known Issues
  • The tool cannot distinguish between fully publicly disclosed reports and reports with limited disclosure.
  • The tool may break if it is run again after a long time. By default the refresh scrapes 10 pages to reduce load on the site. If you are running it after a long gap, consider increasing the range up to 50 in the main for loop in refresh.py before running, so that all reports up to the most recent one already in final.txt are collected.

Thanks
  • h1.nobbd(dot)de
  • bugreader(dot)com
  • Awesome-Bugbounty-Writeups Repo
  • and other helpful sources.. :)




via KitPloit


Vsftpd Backdoor - Ekoparty Pre-CTF - Amn3S1A Team

It's a 32-bit ELF binary of some version of vsftpd to which a backdoor has been added; the challenge does not say whether it is an authentication backdoor, a special command or something else.

I started by looking for something odd in the authentication routines, but I didn't find anything significant in a short time, so I decided to do a bindiff, which was the key to locating the backdoor quickly. I did a quick diff of the strings with "strings bin | sort -u" on both binaries and vimdiff, and noticed that the backdoored binary has the symbol "execl", which is odd because it is a call for executing ELF files, not needed by an FTP service, and the binary compiled from source doesn't have that symbol.
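As an added example (mine, not the author's code), here is the strings-diff triage from the paragraph above in Python: a minimal strings(1)-style extractor plus a set difference between a reference build and a suspect binary, with the added strings filtered against a watch-list of calls a bind shell needs. The two byte blobs are constructed stand-ins, not the real challenge file, and the watch-list is my assumption, not something the challenge documents; on real files pass the two paths on the command line.

```python
import re
import sys

# Library calls a bind-shell backdoor is likely to drag in (assumed watch-list).
SUSPICIOUS_SYMBOLS = {"socket", "bind", "listen", "accept", "dup2", "execl", "execve", "system"}


def extract_strings(blob, minlen=4):
    """Rough equivalent of the strings(1) default: runs of >= minlen printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % minlen)
    return {m.group().decode("ascii") for m in pattern.finditer(blob)}


def diff_strings(reference, suspect, minlen=4):
    """Strings present only in the suspect, and only in the reference, each sorted."""
    ref, sus = extract_strings(reference, minlen), extract_strings(suspect, minlen)
    return sorted(sus - ref), sorted(ref - sus)


def flag_suspicious(added):
    """Filter the added strings down to the ones on the watch-list."""
    return sorted(s for s in added if s in SUSPICIOUS_SYMBOLS)


# Constructed stand-ins for a clean build and a backdoored build (not real vsftpd bytes).
# The clean build legitimately contains socket/bind/listen/accept: an FTP daemon needs them,
# which is why a plain grep for those names is noisy and a diff against a clean build is not.
CLEAN_BLOB = (b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
              + b"vsftpd: version 3.0.2\x00USER\x00PASS\x00"
              + b"socket\x00bind\x00listen\x00accept\x00" + b"\x01\x02\x03\x04")
BACKDOORED_BLOB = CLEAN_BLOB + b"\x00dup2\x00execl\x00/bin/sh\x00"


def triage(reference=CLEAN_BLOB, suspect=BACKDOORED_BLOB):
    """Summarise what the suspect gained and lost relative to the reference build."""
    added, removed = diff_strings(reference, suspect)
    return {"added": added, "removed": removed, "suspicious": flag_suspicious(added)}


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python3 strings_diff.py clean_binary suspect_binary
        with open(sys.argv[1], "rb") as a, open(sys.argv[2], "rb") as b:
            result = triage(a.read(), b.read())
    else:
        result = triage()
    for key, value in result.items():
        print(f"{key:10} {value}")
```

The point of diffing rather than grepping is visible in the sample: socket, bind, listen and accept are in both builds because the daemon needs them, so only dup2, execl and /bin/sh surface as new, which is exactly the shape of a bind shell.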





Looking at the xrefs of "execl" in IDA I found code that is clearly a backdoor: it creates a socket, binds a port, duplicates stdin, stdout and stderr onto the socket and then calls execl:



There is one xref to this function, from the function that decides when to trigger it, which is this kind of system-of-equations check:


The backdoor was not in the authentication; it was a special command that triggers the backdoor, obfuscated in that system of equations. There was no need to use the z3 solver because it is a simple one and I solved it by hand.



The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97                    
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125


The flag:
EKO{vsftpd_dejavu}
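As an added example, not part of the writeup, the same system solved programmatically in Python. Because each constraint after the first only ties neighbouring bytes together, fixing cmd[0] leaves cmd[1] as the single unknown and every other byte follows from the pairwise sums; the solver enumerates cmd[1], keeps the solutions in which every byte is printable, and then applies the flag format EKO{...} as the extra constraint. Note that the constraint list as transcribed above gives cmd[1] = 78, which does not agree with the listed solution (75) or the flag, so the code treats cmd[1] as unknown rather than taking that line at face value.

```python
CMD0 = 69  # 'E', fixed directly by the first constraint
# cmd[i] + cmd[i+1] for i = 1..16, copied from the constraint list above.
PAIR_SUMS = [154, 202, 241, 233, 217, 218, 228, 212,
             195, 195, 201, 207, 203, 215, 235, 242]


def expand(cmd1, sums=PAIR_SUMS, cmd0=CMD0):
    """Derive every byte from cmd[1]: cmd[i+1] = sum_i - cmd[i]."""
    cmd = [cmd0, cmd1]
    for s in sums:
        cmd.append(s - cmd[-1])
    return cmd


def printable_solutions(sums=PAIR_SUMS, cmd0=CMD0):
    """All choices of cmd[1] (0..255) for which every byte is printable ASCII."""
    found = []
    for cmd1 in range(256):
        cmd = expand(cmd1, sums, cmd0)
        if all(0x20 <= c <= 0x7e for c in cmd):
            found.append(bytes(cmd))
    return found


def solve(sums=PAIR_SUMS, cmd0=CMD0, prefix=b"EKO{", suffix=b"}"):
    """Printable solutions narrowed by the flag format; returns (all_printable, matching)."""
    candidates = printable_solutions(sums, cmd0)
    matching = [c for c in candidates if c.startswith(prefix) and c.endswith(suffix)]
    return candidates, matching


def check(cmd, sums=PAIR_SUMS, cmd0=CMD0):
    """Verify a candidate byte list against the original constraints."""
    return cmd[0] == cmd0 and all(cmd[i + 1] + cmd[i + 2] == s for i, s in enumerate(sums))


if __name__ == "__main__":
    candidates, matching = solve()
    print(f"{len(candidates)} printable solutions, e.g. {candidates[:3]}")
    for flag in matching:
        print("flag:", flag.decode(), "valid:", check(list(flag)))
```

The printable-ASCII filter alone leaves several candidates, which is the reason the flag format (or, on the real binary, the value the trigger compares cmd[0] and cmd[1] against) is needed to pin down the one the backdoor accepts.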

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor



Nemesis: A Packet Injection Utility


"Nemesis is a command-line network packet injection utility for UNIX-like and Windows systems. You might think of it as an EZ-bake packet oven or a manually controlled IP stack. With Nemesis, it is possible to generate and transmit packets from the command line or from within a shell script. Nemesis attacks directed through fragrouter could be a most powerful combination for the system auditor to find security problems that could then be reported to the vendor(s)."

Website: http://www.packetfactory.net/projects/nemesis



Tuesday, May 19, 2020

Linux Command Line Hackery Series: Part 1




In this concise article we will learn some basics of the Linux command line, so let's get started.

Requirements:

1. An open Terminal in your Linux Box. I'm using Kali Linux 2.0
or you can check out this amazing website Webminal

Command:  ls
Syntax:   ls [flag(s)]
Function: ls is short for list. The ls command lists the contents of a directory: files, folders, and links. ls has many optional flags as well; some of them are described below.
Flags:    -a  view hidden files, that is, those files whose names begin with a '.' (dot)
          -l  view file permissions, the owner of the file, the group of the owner, the file size, the modification date, and the filename. We'll talk more about it in later articles.

Command:  mkdir
Syntax:         mkdir dirname
Function:      mkdir is used to create a directory (or a folder) with the name which is followed by the command

Now let's create a directory in our current directory named myfiles. How would you do that?

mkdir myfiles

which command should we use in order to verify that the directory has been created in our current folder?

ls

this will list all the files and directories in our current folder. Do you see myfiles directory listed?

Command:  cd
Syntax:         cd path/to/directory
Function:      cd is short for change directory. It is used to navigate directories; to put it simply, it does the same thing as double clicking on a folder, except that it doesn't show you the contents of the directory :(. In order to navigate to another directory we need to provide its ABSOLUTE PATH or RELATIVE PATH. You have heard of those, haven't you?

Paths are of two types: relative path and absolute path (also called full path). Relative, as the name suggests, is relative to the current directory, so if you have to navigate to a folder within the current directory you simply type cd directory_name. But what if you have to navigate to the parent of the current directory? Well, it's easy: just type cd .. (yes, double dots; you noticed that .. and . thing when you typed ls -a, didn't you?). The double dots mean the directory above the current directory (i.e. the parent directory) and a single dot means the current directory (i.e. the directory that I'm currently in). Now if you have to navigate two directories above the current directory using relative path navigation you'll type

cd ../.. 

here .. means the parent directory and the second .. after the slash (/) means the parent of that parent directory. Sounds confusing..!

The Absolute Path means full path to the file or folder which starts from root directory. Say I want to navigate to my home folder using absolute path, then I'll type:

cd /home/user

where user is the username
Now think of navigating to the myfiles folder from your home directory using the absolute path, it will be something like this:

cd /home/user/myfiles

Exercise: Create a directory project1 inside your home directory and inside the project1 directory create a file and a directory named index.html and css respectively. Then navigate to the css directory and create a style.css file inside it. At last navigate out of the css directory to home both using the relative and absolute path mechanisms.

[Trick: To get quickly out of any directory to your home directory type cd ~ [press Enter] or simply cd [press Enter]]

Command:  touch
Syntax:         touch filename
Function:      touch is a nifty little command used to create an empty file (actually it's used to change the access time of a file, but everyone has bad habits :P). You can create any type of empty file with the touch command. If you are curious about touch, read its manual page with the man touch command.

Now lets create a few files inside of our myfiles directory

touch file1 file2 file3

The above command creates three empty files in our current directory named file1, file2, and file3.
How will you verify that it has indeed created these three files in your current directory? I won't answer this time.

Command:  echo
Syntax:         echo text to display (e.g. echo Hacker manufacturing under process)
Function:      echo is used to display a line of text. By default echo displays the text on the terminal, which is the standard output device (stdout for short). However, we can redirect the output of an echo command to a file using > (the greater-than symbol).
Now if we have to echo a line of text to a file, say file1 in our myfiles directory, we will type:

echo This is file1 > file1

The above command will echo the text "This is file1" to file1.

Command:  cat
Syntax:         cat filename [anotherfilename...]
Function:      cat stands for concatenate (not that puny little creature in your house). The main function of cat is to concatenate files and display them on your terminal (or in geeky terms stdout). But its also used to display the contents of a file on your terminal.

Let's display the contents of file1 in the myfiles directory that we echoed to it using the echo command, for that we'll type:

cat file1

Awesome, I can see the contents of my file on the black screen (what if your terminal's background is white?); looks like I'm becoming a hacker. In case you don't see it, I suggest you give up the thought of becoming a hacker. Just kidding, you might have missed a step or two from the steps above.

Now lets say that we want to add another line of text to our file using the echo command should we use the same greater than (>) symbol? No, if we want to add another line (which in geeky terms is to append a line) to our file using the echo command we have to use >> (two greater than symbols) like this:

echo Another line of text >> file1

now to check the contents of file1 we'll type:

cat file1

OK we wrote two lines inside of the file1.
Does it mean we have to use three greater-than symbols to write a third line? Oh! I didn't think you'd be such a genius.

A single greater than symbol (>) means redirect the output of the preceding command to a file specified after the > symbol. If the file exists then overwrite everything that's in it with the new contents and if the file does not exist then create one and write to it the output of the preceding command. So if you had typed

echo Another line of text > file1

it would have overwritten the contents of the file1 with "Another line of text" and the line "This is file1" would no longer be present in the file.

Two greater than symbols (>>) mean that append (remember the geeky term?) the output of the previous command to the end of file specified after >>. Now if you want to add another line of text to file1, you won't use >>> rather you'll use >> like this:

echo Third line in file1 >> file1

This is it for today. But don't worry we'll learn more things soon.

How To Install And Config Modlishka Tool - Most Advance Reverse Proxy Phishing